Aug 11 2020 01:49 AM
After deploying the security baselines, which enable the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869), users are no longer able to launch Teams meetings from a calendar entry in Outlook.
The following is logged:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detection time: 2020-08-11T07:03:51.689Z
User: CACT\user
Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Security intelligence Version: 1.321.1142.0
Engine Version: 1.1.17300.4
Product Version: 4.18.2007.8
Is it possible to create an exception only for the Teams client to launch as it is installed on a per-user basis?
Aug 13 2020 10:48 PM
@Tom13984 Which Windows 10 version have you seen this one on? Multiple different versions? Do your PCs have W10 E3 as license?
Feels odd, I have this ASR rule in block mode on multiple computers where this problem has not surfaced. In 124 examples only Excel, PowerPoint and Word have been affected in an example environment, and these users/computers have accessed Teams meetings from Outlook.
Aug 13 2020 11:56 PM
Aug 14 2020 01:13 AM
@Tom13984 No problems. I haven't encountered this issue. I tested the rule and opened a Teams meeting in Outlook on a Windows 2004 + with E5. Maybe it's related to your Office patch level somehow? Do you run O365 C2R SAC? If I were you I would open a case with Microsoft, this can't be expected behaviour.
Anyway, when you have E5 you can exclude stuff here: https://security.microsoft.com/asr?viewid=exclusions
Dec 03 2021 10:55 AM
Jun 13 2022 07:54 AM
Hi, I'm in the same situation as you. I am trying to activate this ASR rule, but out of around 2500 employees only 4-5 users have this issue. I can't find why only some users... I don't want to make an exception only for that and create a security breach. Have you found anything since your last posts?
Thank you for your help!
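
Added example, not part of any post in this thread: a PowerShell triage script for an affected endpoint that lists the events for this rule, shows which child process and parent were involved, and prints the rule state and exclusions the machine actually received. It assumes the event message uses the field labels quoted in the first post; the exclusion line at the end is left commented out and uses the path from that post.

```powershell
# Added example: triage ASR events for one rule on a single endpoint (run elevated).
$RuleId  = '26190899-1602-49E8-8B27-EB1D0A1CE869'   # rule GUID from the thread
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Event ID 1121 = ASR rule fired in block mode, 1122 = fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1121, 1122 } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match $RuleId }

# Assumption: 'Path:' and 'Process Name:' labels appear as in the quoted message.
$pattern = '(?s)Path:\s*(.+?)\s*Process Name:\s*(.+?)\s*(?:Security intelligence Version:|$)'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            Target = $Matches[1]   # process that was blocked (e.g. Teams.exe)
            Parent = $Matches[2]   # Office process that tried to start it
        }
    }
}

# Which target/parent pairs trigger the rule, and how often.
$hits | Group-Object Mode, Target, Parent |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap

# Effective rule state and existing ASR exclusions on this machine, to compare
# an affected endpoint with one where the meeting link works.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$idx  = [array]::IndexOf($ids.ToLower(), $RuleId.ToLower())
if ($idx -ge 0) {
    # Actions: 0 = disabled, 1 = block, 2 = audit, 6 = warn
    "Rule action on this endpoint: $(@($pref.AttackSurfaceReductionRules_Actions)[$idx])"
} else {
    'Rule is not configured on this endpoint.'
}
"Current ASR exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join '; ')"

# Local exclusion for the exact path in the logged event. The list set with this
# parameter is not tied to one rule GUID, so keep it to a full file path.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\ProgramData\user\Microsoft\Teams\current\Teams.exe'
```

On centrally managed devices the exclusion belongs in the same policy that deploys the baseline, since managed settings take precedence over local preferences.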